Continuing on from my post from a couple of days ago, here are my notes from Day 2 of the 25th Chaos Communications Congress in Berlin. I’ve been slow with getting these posted – Day 2 was December 28th. Better late than never, right?
As with the previous posts, for a different perspective and selection of talks I highly recommend checking out Security4All’s blog post about Day 2 as well.
Finally, if you’re particularly interested in anything I’ve written about, you should check out the official recordings here. Most of the talks have been posted both as direct downloads and torrents. I can’t even begin to say how amazing this is given that the conference is barely over. From what I hear, the live streams coming from the conference while it was running were also totally solid.
And now for the actual comments about this day’s talks!
Exhaustion, jet-lag, and a late night at the space station made me miss a few talks I wanted to see, but they all conflicted anyway so I’m just going to watch the recordings on my long flight home on Sunday :) I made it to these talks:
- I feel like I somewhat still don’t understand this attack, despite having read tons about it – this probably has to do with not also reading more about TCP/IP design.
- The gist is that TCP connection window scaling reduces the effectiveness of the source port randomization, which was never a security feature anyway but intended for multiplexing…
- Also there was something about resource starvation by partially opening connections akin to SYN flooding.
- definitely wins the “cutest props” award for their demo of tiny robots (link to video!)
- the robots they built can be made for about €15 in quantities of 25+ using off-the-shelf parts exclusively except for the tiny wheels which they stamped out of rubber
- the plans are GPLv3 and CC (yay!)
- the “wheels” are driven by cellphone vibration motors with the weights replaced by rubber wheels
- they re-program each other’s firmware on the fly and indicate their firmware status as well as other conditions via multi-colour LEDs
- lots and lots more info at their site if you are interested: http://warrantyvoidifremoved.com/formica
Banking Malware 101, or, Stuff I Found On My Sister’s Dead Laptop And Now She Has A Mac
- in all seriousness, I found three of the mentioned malware families on the hard drive of my sister’s dead machine, and she now has a Mac.
- given that this is what I deal with in my day-job, I took a lot of notes on this one
- what set this talk apart from your average Banking Trojans talk, which made it much more than a 101 in my opinion, was the fact that the researcher had gained access to the Command and Control servers for several variants of banking malware, and worked in conjunction with AusCERT to notify the people whose banking info he found on these servers.
- all of the covered trojans affected only Internet Explorer; the only one which has thus far affected Firefox was ChromeInject, a drive-by-installer targeting users of the Greasemonkey plugin. There’s more on it here; it wasn’t covered at all in the talk, and it no longer works.
- the trojan Nethell stole cookies, usernames/passwords, stored credentials (saved passwords) and could defeat “visual keyboards”
- another sample (Zeus / Wsnpoem / Zbot) could inject arbitrary HTML into forms and ask for the secondary transaction numbers in use in a number of European banks
- they had some excellent sample collection and analysis automation which I’m definitely going to look into more, using CaptureHPC, Honeyclient, phoneyc
- they created a simulator based on AutoIT called “Simuser” which they could write behavior templates for
- if you’re interested, here is the presenter’s blog post linking to the recording and talk slides.
ascii’s Tricks: makes you smile
- A++ did indeed make me smile
- while the speaker was a little hard to follow at times, the talk was colourful and entertaining
- he showed off several small hacks involving sudo timeouts
- apparently putting localhost into your server’s DNS very much breaks the Same Origin Policy… oops
- he showed off a GREAT technique for fooling people into copying and pasting random things into shell prompts by using some HTML / CSS obfuscation in demo code snippets
- he presented new tools to do ICMP PMTU Denials of Service and blind SQL injection
- sadly, his website is down but hopefully it will reappear soon so that the tools and PoCs can be obtained
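Since the “localhost in DNS” trick above is really the DNS rebinding problem (the browser’s Same Origin Policy keys on the host name, so a public name that resolves to 127.0.0.1 lets that origin talk to loopback services), here is a small resolver-side filter that rejects such answers, the same idea as dnsmasq’s --stop-dns-rebind. This is my own added example, not code from the talk; the host names, addresses and the allowlist are constructed.

```python
# Added example: reject DNS answers that point a public name at an internal
# address (loopback, RFC 1918, link-local), the resolver-side mitigation for
# the localhost-in-DNS / DNS rebinding trick. Names and addresses are constructed.
import ipaddress

# Ranges a public name should never resolve into. Explicit networks rather than
# ipaddress.is_private, which would also flag documentation ranges like 203.0.113.0/24.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]

# Names that legitimately resolve to local addresses (assumed local policy).
ALLOWLIST = {"localhost", "localhost.localdomain"}
LOCAL_SUFFIXES = (".local", ".internal")

def is_internal(ip: str) -> bool:
    """True if ip falls in an internal range; unwraps IPv4-mapped IPv6 first."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped          # ::ffff:127.0.0.1 is still loopback
    # `in` returns False on an address/network version mismatch, so mixing is safe.
    return any(addr in net for net in INTERNAL_NETS)

def filter_answers(name: str, answers: list[str]) -> tuple[list[str], list[str]]:
    """Split A/AAAA answers for `name` into (accepted, rejected)."""
    name = name.lower().rstrip(".")
    if name in ALLOWLIST or name.endswith(LOCAL_SUFFIXES):
        return list(answers), []         # our own zones may point inside
    accepted, rejected = [], []
    for ip in answers:
        (rejected if is_internal(ip) else accepted).append(ip)
    return accepted, rejected

# Constructed sample: a public-looking name whose answers mix a real address
# with loopback and RFC 1918 entries (the rebinding pattern).
SAMPLE = {
    "demo.example": ["203.0.113.10", "127.0.0.1", "10.0.0.5"],
    "localhost": ["127.0.0.1"],
    "printer.internal": ["192.168.1.20"],
    "ip6.example": ["2001:db8::1", "::1", "::ffff:127.0.0.1"],
}

if __name__ == "__main__":
    for host, answers in SAMPLE.items():
        ok, bad = filter_answers(host, answers)
        print(f"{host}: accepted={ok} rejected={bad}")
```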
I have five more pages of notes to write up on days 3 and 4, but I’ll try to get it out tonight.